Presentation is loading. Please wait.

Presentation is loading. Please wait.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco PublicTrustSec 1 Solving (not only) L2 Security Problems Petr Růžička, CSE CCIE #20166

Similar presentations


Presentation on theme: "© 2008 Cisco Systems, Inc. All rights reserved.Cisco PublicTrustSec 1 Solving (not only) L2 Security Problems Petr Růžička, CSE CCIE #20166"— Presentation transcript:

1 © 2008 Cisco Systems, Inc. All rights reserved.Cisco PublicTrustSec 1 Solving (not only) L2 Security Problems Petr Růžička, CSE CCIE #20166

2 © 2008 Cisco Systems, Inc. All rights reserved.Cisco PublicTrustSec 2 Evolution to Network Access Control Topology Aware to Role Aware Network Address-based Access Control  ACL, VACL, PACL, PBACL etc Network Admission Control (NAC)  Posture validation endpoint policy compliance Cisco TrustSec  Network-wide role-based access control  Network device access control  Consistent policies for wired, wireless and remote access Identity-Based Access Control  Flexible authentication options: 802.1x, MAB, WebAuth, FlexAuth  Comprehensive post-admission control options: dACL, VLAN assignment, URL redirect, QoS…

3 © 2008 Cisco Systems, Inc. All rights reserved.Cisco PublicTrustSec 3 Authorized Port Enabled Port Status Campus Access Security Vulnerability & Countermeasure Authenticator ACS Wall Jack in Conference Room Or Cubical Area Wiring Closet Switch Campus LAN Authentication Server EAPOL Start EAP Request Port Status Un-Authorized EAP Response (w/ Credentials) Relay Credentials to AAA via RADIUS RADIUS-Accept Supplicant Miscreant User Can Spoof MAC Address of the Authenticated User and gain network access undetected 802.1AE/SAP Enabled Authenticator ACS Wall Jack in Conference Room Or Cubical Area Wiring Closet Switch Campus LAN Authentication Server EAPOL StartEAP Request EAP Response (w/ Credentials) Relay Credentials to AAA via RADIUS RADIUS-Accept (w/ PMK) 802.1AE/SAP Capable Supplicant Miscreant User Can’t Spoof MAC Address of encrypted packets, if encryption is not enable the user’s packets don’t contain integrity information (SA or ICV) and are blocked. PMK used to initiate 4-Way SAP exchange Authorized Encrypted Port Enabled Port Status Cisco TrustSec (CTS) Extends 802.1X to provide continuous data protection Holistic Prevention of: MiM, Spoofing, Tampering & Replay Attacks Prevents Shadow Hosts Attacks Port Status Un-Authorized Countermeasure TrustSec (802.1AE/SAP)

4 © 2008 Cisco Systems, Inc. All rights reserved.Cisco PublicTrustSec 4 Benefits of Hop-by-Hop Link Encryption In Campus Secure Hop-by-hop Communications Preserves IT Tools For Network Management  Layer 3+ end-to-end encryption for IP traffic and payload  No packet visibility => Prevents IT IDS, Network analysis tools  Doesn’t prevent layer 2 attacks (e.g. MAC spoofing, stealing) E2E  Hop-by-hop security prevents layer 2 attacks  IT has network control, using familiar network tools (IDS, anti-virus, …)  Allows incremental deployment over most vulnerable domains HxH LinkSec

5 © 2008 Cisco Systems, Inc. All rights reserved.Cisco PublicTrustSec 5 Cipher DataIn the ClearCipher DataIn the ClearCipher Data Link Layer Encryption TrustSec /802.1 AE Encrypted  Hop-by-Hop packet confidentiality and integrity via IEEE 802.1AE  “Bump-in-the-wire” model Packets are encrypted on egress Packets are decrypted on ingress Packets are in the clear in the device  Allows the network to continue to perform all the packet inspection features currently used  Can be incrementally deployed depending on link vulnerability Decrypt On Ingress Interface DecryptIncrypt Encrypt On Egress Interface Packets in the Clear Inside the System

6 © 2008 Cisco Systems, Inc. All rights reserved.Cisco PublicTrustSec 6 Internet EnterpriseCampus Example Authorization Rule: Authorization Rule : if ((user Role = CRM) then apply SGT = Confidential Authorization Rule : if ((user Role = Finance) then apply SGT = Confidential Authorization Rule : if ((user Role = Portal Y) then apply SGT = Unrestricted Authorization Rule : if ((user Role = Portal Z) then apply SGT = Unrestricted Authorization Rule : if ((user Role = Intranet Portal) then apply SGT = Sensitive Authorization Rule : if ((user Role = ERP) then apply SGT = Confidential Authorization Rule : if ((user Role = Portal Y) then apply SGT = Unrestricted Authorization Rule : if ((user Role = Campus Edge) then apply SGT = Ent. Campus Authorization Rule : if ((user Role = Internet Edge) then apply SGT = Internet Authorization Rule : if ((user Role = Storage Class A) then apply SGT = Data Confidential Dynamic SGT & SGACL Assignment Finance CRMEPRPortal Y Storage Class A Intranet Portal Portal Z D U C CCCCCCCS D U I EE 2. Link Up or Port Enabled – Initiates Endpoint Authentication & Authorization 3. Host Identity Acquired (802.1X, MAB or Pre-provisioned Identity to Port Mapping (IPM)) and relayed via RADIUS to ACS Pre-provisioned Identity to Port Mapping (IPM) 802.1X, MAB or IPM 4. Identity credentials are authenticated and then Authorization Rules are processed, SGTs assigned and SGACLs applied Legend Unauthenticated Campus to DC Port Identity = Campus Edge Port Identity = Internet Edge Server Identity = * 1. Ensure Identities are pre-provisioned (host and or port mapping)

7 © 2008 Cisco Systems, Inc. All rights reserved.Cisco PublicTrustSec 7 Internet I EnterpriseCampus Example 1: Bi-Directional Enterprise Campus & Unrestricted Servers Finance CRMEPRPortal Y Storage Class A Intranet Portal Portal Z All packets entering the data center from the campus edge are tagged as Ent. Campus Packets from Portal Y server are tagged as Unrestricted Legend Unauthenticated Campus to DC D U C CCCCCCCS D U EE

8 © 2008 Cisco Systems, Inc. All rights reserved.Cisco PublicTrustSec 8 Unauthenticated Campus to DC Internet Finance CRMEPRPortal Y Storage Confidential Intranet Portal Portal Z I EE EnterpriseCampus D U All packets entering the data center from the campus edge are tagged as Ent. Campus Egress Filtering for Storage Array is tagged Data Confidential and the policy (SGACL) denies access from Ent. Campus All illustrated; communication from Ent. Campus are Denied to Data Confidential Example 2: Enterprise Campus to Data Confidential Legend C CCC D UCCCCS

9 © 2008 Cisco Systems, Inc. All rights reserved.Cisco PublicTrustSec 9 IntraDC Use Case Internet Finance CRMEPRPortal Y Storage Confidential Intranet Portal Portal Z I EE EnterpriseCampus All packets from Portal Z are classified as Unrestricted Egress Filtering for Storage Array is tagged Data Confidential and the policy (SGACL) denies access from Unrestricted All illustrated; communication from Ent. Campus are Denied to Data Confidential Example 3: Unrestricted to Data Confidential Legend D U C CCCCCCCS D U

10 © 2008 Cisco Systems, Inc. All rights reserved.Cisco PublicTrustSec 10 Data Center Use Case Internet Finance CRMEPRPortal Y Storage Confidential Intranet Portal Portal Z I EE EnterpriseCampus All packets from Storage Confidential are classified as Data Confidential Egress Filtering on the Internet tagged/filtered port denies access from Data Confidential Example 4: Data Confidential to Internet Legend D U C CCCCCCCS D U

11 © 2008 Cisco Systems, Inc. All rights reserved.Cisco PublicTrustSec 11 Source: Ken Hook Comparison of encryption models Traffic Visibility & Network Manageability Single SA per Link - No Complex Key Management Server Required Hop-by-hop security – Prevents layer 2 attacks Transparent to hosts, applications and servers Packets remain in the clear inside the box preserving the Intelligent Information Network IT has network control, using familiar network tools (IDS, anti-virus, …) Allows incremental deployment over most vulnerable domains Layer 3+ end-to-end encryption for IP traffic and payload No packet visibility => Prevents IT IDS, Network analysis tools Doesn’t prevent layer 2 attacks (e.g. MAC spoofing, stealing) Complex Security Association maintenance E2E* HxH* Host to Server IPSec Negatively Impacts :Host to Server IPSec Negatively Impacts : Deep Packet Inspection Extended ACLs (port/protocol) Full Netflow (port/protocol) Limits QoS (ports) Dramatic reduction of Content & SLB capabilities Increased Network Latency Increased Host/Server CPU/Memory utilization for Header insertion/removal & SAs Weighted Fair Queuing (WFQ) - priority & other flow-based traffic prioritization Breaks NAT (Requires NAT-T) Core Network LinkSec Catalyst Catalyst Catalyst TrustSec Network LinkSec Cisco TrustSec preserves IT tools for network management * E2E = End-to-End, HxH = Hop-by-Hop

12 © 2008 Cisco Systems, Inc. All rights reserved.Cisco PublicTrustSec 12 Data Center Confidentiality & Integrity  CTS - Network Device Admission Control (NDAC) Mutual Device Authentication (EAP-FAST) Confidential & Authenticated Data Communications CTS Data Center EAP-Fast EAPOL Start EAP_Fast EAPoL Request EAP Response (w/ Device Credentials) Relay Credentials to AAA via RADIUS RADIUS-Accept (w/ Env Data & PMK) PMK used to initiate 4-Way SAP exchange Authorized Encrypted Port Enabled Port Status ACS 5.0 EAPOL StartEAPoL RequestEAP Response (w/ Host Credentials) PMK used to initiate 4-Way SAP exchange Servers w/ 802.1AE NICs Relay Credentials to AAA via RADIUS RADIUS-Accept (w/ PMK) Port Status Un-Authorized Server w/ 802.1AE NICs  CTS - Endpoint Admission Control (EAC) –802.1X Machine Authentication –Confidential & Authenticated Data Communications

13 © 2008 Cisco Systems, Inc. All rights reserved.Cisco PublicTrustSec 13 Cisco TrustSec Overview Identification and Authorization L2/L3 TrustSec Confidentiality and Integrity Scalable Topology Independent Access Control  Builds a Trusted Network Infrastructure with Network Device Admission Control (NDAC)  Extends IBNS and NAC by adding Topology Independent Ingress Security Group Assignment  Wire-rate Encryption and Data Integrity on L2 Ethernet Switch Ports  Preserves all network based accounting, deep packet inspection, and intelligent services  Uniform encryption—transparent to application, protocols, etc.  Centralized Access Control Policy Administration  Consistent Policy for Wired, Wireless and Remote Access VPNs  Network Access Control Policy is decoupled from Network Topology providing unparalleled scale

14 © 2008 Cisco Systems, Inc. All rights reserved.Cisco PublicTrustSec 14


Download ppt "© 2008 Cisco Systems, Inc. All rights reserved.Cisco PublicTrustSec 1 Solving (not only) L2 Security Problems Petr Růžička, CSE CCIE #20166"

Similar presentations


Ads by Google